Cybersecurity is a team sport

The United States Department of Defense released a new cyber strategy on April 23, revealing how the US views cybersecurity in the post-Snowden era. One trend is immediately clear: The strategic use of cyberspace to pursue political goals and seek geostrategic advantage is rapidly increasing in today’s world.

The new cyberstrategy represents a big step forward in the global cyber policy and military debate. It is far more comprehensive and transparent than its predecessor, which debuted in 2011. The world’s most technologically advanced nation wants to be more transparent about its military doctrine, policy, roles, and missions in cyberspace, which makes the strategy interesting to read and evaluate — outside of the US.

The US is ahead of Europe when it comes to integrating cybersecurity into its foreign and security policies. Europe would be foolish not to follow and learn from its example. As with most security issues, there are signs that in cybersecurity the default behavior for most European countries seems to be to follow the US approach. For the US, the biggest challenges at the moment are: updating all legal frameworks, strengthening cyber rules of engagement for the military, building cyber deterrents, and clarifying the roles and cooperation of the government and private sector.

Europeans can learn from five main take-aways from the US’s new cyber strategy.

Cybersecurity must be taken more seriously and planned strategically in Europe. The US’s strategy cybersecurity is more holistic and strategic than ever before. The US intelligence community’s annual threat assessment once again identified cyberattacks as the most serious threat to national security. The same emphasis is not present in European countries, even though US Director of National Intelligence James Clapper has estimated that the Russian cyber threat is more severe than was previously thought.

Europeans have been aware for many years that the US is worried about a “cyber Pearl Harbor” or “cyber 9/11” that would cause physical destruction and loss of life. But cybersecurity is rarely discussed in those terms on the Continent.

The new US cyber strategy contains no “cyber 9/11” alarmism. Europeans should take heed of US estimations that cyber attacks will focus on low and moderate levels. These consist primarily of cyber espionage, information operations, denial of services and degradation of information integrity. These are not dramatic attacks, but rather longer-term threats that aim to influence the target country’s economic competitiveness or social mood.

The digital domain has become an arena where strategic advantage can be won or lost, the latter being more likely without serious indigenous cyber capabilities. The new US strategy is the first public indicator that the US plans to use cyberwarfare in conflict. This means that Europe must also place more emphasis on offensive cyber capabilities, which are increasingly becoming the norm.

In most European countries, it is not popular to publicly discuss offensive cyber weaponry. But it is necessary to explain the necessity of offensive cyber capabilities to the general public. Increased transparency with regard to offensive weapons requires that cyber command structures must be made clear; the US strategy clearly stipulates when and by whom they should be used. The new guidelines also mean that the speed and significance of the digital arms race will accelerate.

US cyber strategy can be understood as a strategy of cyber deterrence. It emphasizes the US’s capability to identify cyber attackers, the creation of well-resourced cyber force, and readiness to punish attackers in cyberspace. The US hopes to send a clear message: Don’t mess with us in the digital domain.

Historically deterrence has required three elements: attribution, signaling, and credibility. These are at the heart of the new US cyber strategy.

But even though the US is the most advanced country in the world when it comes to cyber, its new cyber strategy emphasizes that cybersecurity is ultimately a team sport.

No one can succeed by themselves. Governments need to cooperate with the private sector and to practice basic cyber-hygiene, the most cost-effective way to increase cyber security. International cooperation is essential, and Europe is a key partner for the US.

Most importantly, the new US cyber strategy emphasizes that we have to stay alert to activity in the digital domain. Nation-states, non-state actors, as well as skilled terrorist groups and individuals are all players in the digital domain, and their operations are becoming increasingly sophisticated. European nations should take a queuefrom US Defense Secretary Ashton Carter, who, when presenting the new cyber strategy, cautioned, “In cyber I worry about what we don’t know.”

Jarno Limnéll is a professor of cybersecurity at Finland’s Aalto University and VP of cybersecurity in Insta DefSec Ltd.